I've created two new custom attributes in the UserProfile. When the service we wrote returns data about a specific user by using the UserProfile object, sometimes the data isn't returned, even though if we look at the user in SSP it look populated. Some users work; this is the first user we set up with data. I'm not sure if sometime in the meantime after setting up the first user and testing, if there's something we ran and need to run again. How can I get all the users to get their data returned in a call to their UserProfile?
It may be a language issue, perhaps you can detect a pattern in working/not working users and their language?
Have you looked at the visibility of the custom attributes? Is it possible that it's a question of who is supposed to be able see the attribute that is causing your issue?
It could be connected to when the profile was created and when the attributes were added.
Is there any pattern to which users work and which do not?
Try creating a new user, and see if the attributes are available for that user.
Related
I am developing a plugin that allows the user the post content that I am storing in an object in publicData. To identify the user that posted the data, I am storing the _id that is returned from buildfire.auth.getCurrentUser() in that publicData object along with the content of the post.
Is there a way I can access a list of the users of my plugin, then iterate through that to find the user with the corresponding _id? A list of the users of my plugin must exist somewhere, I just do not know how to/if I can access it.
Any help on this would be greatly appreciated!
I would recommend caching the user object's nonsensitive data. Remember, you have a bit more access to the logged-in user over fetching another user profile using the user id. https://github.com/BuildFire/sdk/wiki/How-to-use-Auth#buildfireauth-getuserprofileoptionscallback
Since the user profile picture URL is really an API, you don't have to worry about the user changing it since it will always return the latest. The other property I recommend you cache is the Display name (not the first name and last name) since that rarely changes as well. This way your performance wont suffer and you can do a lazy fetch for a distinct list of user ids an update them as needed. KNowing most wont need an UI updates since nothing changed
So i have been struggling with this one question some time now:
How to handle details Page or deep linking on the Frontend.
So, say, we got a paged collection endpoint with user entities in it and a React App consuming the endpoint.
The flow would be, user authenticates, gets collections, clicks on an item and is either:
Redirected to a new Url say: webapp.com/users/userid
A modal opens with the user details.
Say we got a scenario were two people working with the webapp, Person 1 wants to share a link with Person 2. Person 2 should do some updates on a specific user, which is identified by the link.
The link should be something like : https://www.webapp.com/users/{slug or id}
With Option 2 this functionality is not mappable.
With Option 1 we got to expose the ids in the response to identify the resource, which may work, but we would still need to hardcode the url, as the findById method is not exported as a Uri Template.
So, my Solution would be to add a slug for the resources, implement a search method by the slug, and then get the user, if found, by its self-link.
Sounds like a good solution for me, but on the other hand, I would have to add an extra frontend id(the slug here) which would need to be also unique, to the database model.
So how do you guys handle a problem like this, or is there anybody using spring data rest in this way or in production mode where you have the handle situations like this?
Should mention that this isn’t a primary problem with spring data rest but rather with hateoas itself.
thanks in advance
Florian
You don't need to hardcode URL template. Spring data rest will generate links for each resource.
You can refer to it from front end by some format like: {your_user_object}._links.self.href
before write the question sorry for my english. My question is this:
I have an web application in jsf, the application have new, edit and delete Categories, outgoings, Budgets, users, etc.
When open the edit page i have the url like this:
http://localhost:8080/Practica3/faces/usuarios/edit.xhtml?id=2
the problem is if the user change the number 2 for another number, and the another number exists in the dababase, the page change the data of the id 2 to the data of the new id.
The problem is if the id number X is of a data of another user, and the user that change the id is not in conditions to see that data.
How disable the edit of the id, or denied to show the data to the another user?
Thanks, and i hope have a response.
Just check in service layer if the current user is allowed to edit the requested entity. If not, then throw some security exception for which you could if necessary configure a custom error page in web.xml.
The technical problem has nothing to do with HTTP/JSF. If you "fix" it alone in JSF side, then you still have a gaping security hole in service layer which would affect any other frontend using it. The frontend is not responsible for business restrictions in service layer itself.
The problem is not stopping the editing of the ID. That is on the client side/browser and you cannot stop this value from being edited.
You need to implement propery Access Security Controls. When you get any response back, you need to check if the user can perform the action they specified (read, update, delete, etc.) as well as checking to make sure they have permission to the data they want to perform the action on.
These two topics are on the OWASP Top 10:
A4-Insecure Direct Object References
A7-Missing Function Level Access Control
The pages will tell you what the problem is, mitigation stragegies, and different ways of testing for that in your application.
I would also become familiar with the other Top 10 categories (this is not an all inclusive list but a good starting point).
Is there a hook for when a member's details are updated either by the user or by the admin system?
What i'm trying to do is have two custom fields; long and lat which are populated by using google maps api's geocoding functions.
I need this to be automatic so that when an account is created, a call is made and the long/lat fields are updated and if the user is updated then we check to see if the address data has changed and if it has, re-request the long/lat.
I can find hooks for member create but not for update unless i've not spotted something.
Is there one stashed away somewhere? Or is it possible I can crow-bar one in somehow?
The version of expression engine is 2.2.2
There is no hook for the update_member() method, you are correct. You could look at using the session_start hook, and then checking for $_POST['edit_profile'] within that hook method ... all of the new data should be in $_POST, with $_POST['id'] being the member_id.
I've setup up a custom user property via central admin and set the value on a couple of my users. That said when I query the User Information List using Query Builder I'm not seeing values for the field. I've even tried specifying the fields to return via ViewFields.
Anyone have any experience with this? Any other suggestions?
Thanks!
Casey
i've also searched a while, but the closed i came to was this... i ended up using the UserProfileService instead, like described in this article.